Client Authentication:Fedora7

From SME Server
Revision as of 00:43, 20 November 2007 by Steever (talk | contribs) (→‎Method)
Jump to navigation Jump to search

Introduction

This how-to describes a method to authenticate a Fedora 7 workstation against SME Server, so that when users log in, their documents are available to them in a transparent manner.


Method

Section A - Install Fedora 7

  1. Install Fedora 7 choosing Gnome as the desktop. KDE may work but is untested.
  2. Turn off firewall.
  3. Turn off SE-Linux.
  4. Log in as root.
  5. Update all packages using the update manager.
  6. Reboot.

Section B - Setting up Samba and Winbind on Fedora

  1. Log in as root.
  2. In a terminal type yum groupinstall "Windows File Server". Press Y when asked.
  3. Then type yum install pam_mount
  4. Then type system-config-network
  5. The Network dialog will appear. Navigate to the DNS tab and enter host.example.com where it asks for hostname and host is the name you have chosen for your Fedora 7 workstation and example.com is your primary domain.
  6. Close this and type system-config-authentication
  7. The Authentication dialog will appear. Navigate to the User Information tab.
  8. Tick Enable Winbind Support
  9. Click the Configure Winbind button
  10. Fill in your SME Server workgroup in capitals in the Domain section - put DOMAIN not example.com, where DOMAIN is your workgroup in capitals.
  11. Choose Domain security model.
  12. Add the SME Server's host name to Winbind Domain Controller textbox.
  13. Change the template shell to /bin/bash.
  14. Click OK. Don't join the domain using the join button.
  15. Switch to the Authentication tab
  16. Tick Enable Winbind Support.
  17. Click the Configure Winbind button.
  18. Check the settings and click OK.
  19. Don't join the domain using the join button.
  20. Switch to the options tab.
  21. Tick the Use Shadow Passwords option.
  22. Tick the Use MD5 Passwords option.
  23. Tick the Local Authorization option.
  24. Click the OK button to save the settings and exit the authentication dialog.
  25. The terminal will show that winbind has started.
  26. If your workgroup is called DOMAIN, type mkdir /home/DOMAIN in the terminal.

Section C - Prep the SME Server

  1. Log in as root on the SME Server and type signal-event machine-account-create host$ and smbpasswd -a -m host$ where host is the hostname of your Fedora 7 workstation, minus the example.com - i.e. it should be a single word with no fullstops.

Section D - Joining the Domain

Back on the Fedora 7 Workstation:

  1. In the terminal type net rpc join -D DOMAIN -U admin where DOMAIN is your workgroup in capitals.
  2. Give the SME Server admin password when requested.
  3. You will see a message to the effect that you have joined the domain.
  4. Go to System...Administration...Services.
  5. Scroll down to smb, make sure the service is started and then tick it to make it start automatically.
  6. Save and exit.

Section E - Setting up Fedora to Authenticate

  1. In the terminal type gedit /etc/pam.d/system-auth and at the bottom add this line ...
  2. session required pam_mkhomedir.so skel=/etc/skel umask=0077
  3. add an extra blank line after that for luck. Save it and exit from gedit.
  4. In the terminal type gedit /etc/samba/smb.conf
  5. and change winbind use default domain from false to true. Save it and exit from gedit.
  6. In the terminal type /etc/init.d/smb restart and /etc/init.d/winbind restart
  7. Then type yum install xdm
  8. Then type gedit /etc/pam.d/login
  9. A. add an extra line under %PAM-1.0
  10. B. Type auth required pam_mount.so so that it lines up with the other entries.
  11. C. Then on the last line (add a line if necessary) type session optional pam_mount.so so that it lines up.
  12. D. Then add an extra line just for luck
  13. E. Save and exit from gedit.
  14. Then repeat A - E for /etc/pam.d/gdm and /etc/pam.d/xdm
  15. If you installed KDE, you should probably modify the kdm entry the same way, but I did not try this.

Section F - Setting Up Automount

  1. In the terminal type gedit /etc/security/pam_mount.conf
  2. Comment out the line options_require nosuid, nodev by placing a # in front of it.
  3. Go to line 116 and press enter to start a new line without a # in front
  4. Type volume * cifs server & /home/DOMAIN/& uid=& - - where server is your SME Server's host name and DOMAIN is your workgroup in capitals. Save and exit from gedit.

Section G - Setting up the Display Manager

  1. Restart smb and restart winbind just for luck.
  2. Go to System...Administration...Login Screen...Local and choose a theme without a face browser.
  3. Change to the Security tab and untick Deny TCP connections and Only allows logins if user owns their home directory.
  4. From the three choices at the bottom, choose Allow login if all write permissions on user's home directory.
  5. Restart the computer and log in as an SME Server user.

Conclusion

I think this system works very well.

The users shares are not unmounted on logout, but permissions are strong enough to maintain security and privacy.

On reboot the shares are unmounted.

I will try to create a script that unmounts the shares upon logout and update this documentation.

This is actually quite straight forward compared to getting Ubuntu to authenticate.

Retrieved from "https://wiki.koozali.org/index.php?title=Client_Authentication:Fedora7&oldid=6443"